Kaspersky Lab's "Red October" cyber-espionage saga leaves lots of questions unanswered

Moscow-based anti-malware firm Kaspersky Lab says it's uncovered a years-long cyber-espionage campaign using phishing to target individuals in business, research and government offices mainly in Russia and Eastern Europe to steal sensitive data. This cyber-spy operation is also suspected to be run by Russian speakers. More about all of this is expected in the next day or so from Kaspersky Lab, which has lent an aura of drama to it all by calling the malware and its use "Red October."

RELATED: 12 must-watch security start-ups for 2012

MORE: 25 crazy and scary things the TSA has found on travelers

Americans would tend to connect the name "Red October" with the popular Cold War-based spy thriller "Hunt for Red October" written by Tom Clancy and the movie by the same name with actor Sean Connery as the USSR nuclear-submarine captain who violates orders to head toward the U.S. to defect. But for Russians, the name "Red October" evokes something far different: It was the day of Oct. 23, 1917 when a vote in favor of an armed uprising by Russia's Bolshevik socialist revolutionaries led to a fast coup that toppled the western-style democrat Russian Provisional Government formed after the overthrow of the czar, ushering in decades of Communist dictatorship.

Some looking at the information that Kaspersky has provided so far about "Red October" are wondering if it's mainly a Russian vs. Russian botnet operation that could involve some of Russia's moneyed industrialists in the oil and gas business, for instance, spying on the government, or vice versa. Or perhaps spying on each other by attaining information from a third-party operating a botnet compromising both computers and handheld mobile devices.

"It's a very interesting case study," says Sean Sullivan, security adviser at F-Secure, the anti-malware firm headquartered in Finland. The entire operation could well involve Russia's "competing oligarchs," a term often used to describe the business magnates and billionaires who rose to power in industries such as oil and gas after the official end of the Soviet Union. Their battles among themselves and the Russian government have spilled with vehemence into the public eye from time to time. Still, in the drama of Kaspersky's "Red October," the espionage might still have something to do with China, Sullivan says.

Kaspersky Lab, which so far has merely stated it appears the cyber-espionage is organized by Russian speakers, isn't saying more yet, though the firm is pushing out volumes of technical detail about the malware dubbed Rocra for short, claiming it all means that the Red October cyber-espionage rivals that of the Flame botnet cyber-espionage discovery Kaspersky made last year. So far, the security firm is describing the individuals as "high-profile" people associated with government agencies and embassies, nuclear and energy research organizations and companies in the oil, gas and aerospace industries. Most targets have been in Russia, Kazakhstan or Azerbaijan, according to what Kaspersky has said so far.

Sullivan says so far the technical descriptions of Red October supplied by Kaspersky Lab do not make it that unusual from any other botnet-controlled effort to compromise victim computers or mobile devices.

But as Kaspersky unwinds its tale of Red October there was a blog item today about more technical aspects with a full report expected out within the next few days -- there is one aspect of it that should be no surprise. Like many other anti-malware firms that have garnered headlines due to botnets they uncovered McAfee, for instance, has done much the same in the past there's the benefit in boosting the brand name in the public eye as headlines appear. Kaspersky says its discovery came from someone who asked the security firm last October to look into a spear-phishing campaign.

At the end of January at the Dream Downtown Hotel in New York City, Kaspersky Lab's founder Eugene Kaspersky is expected to be on hand to participate in an event called "How Cyber-Warfare Impacts Corporate Security," where Howard Schmidt, former cyber-security coordinator for the Obama Administration is also expected to attend. The event is also expected to include a Kaspersky endpoint product announcement which only shows cyber-war can be a good tie-in to marketing.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.